Cross-Site Request Forgery in Fast & Fancy Filter Plugin for WordPress
CVE-2026-6396

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Fast & Fancy Filter – 3f
Vendor: CVE Published:; 22 April 2026

What is CVE-2026-6396?

The Fast & Fancy Filter – 3F plugin for WordPress is susceptible to a Cross-Site Request Forgery vulnerability due to insufficient nonce verification in the saveFields() function. This oversight permits unauthenticated attackers to manipulate plugin filter settings, alter arbitrary options, or even create new filter posts through a forged request. The attacker must deceive a site administrator into executing a specific action, such as clicking on a malicious link, thus exploiting this vulnerability.

Affected Version(s)

Fast & Fancy Filter – 3F 0 <= 1.2.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/fast-fancy-fil...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 22, 2026
Vulnerability Reserved
Apr 15, 2026

Credit

Muhammad Nur Ibnu Hubab

CVE-2026-6396 Data

JSON